I can confirm now that different configurations combine; I made the following test:

Server: agent.conf

<agent_config name="windows01">
  <syscheck>
    <directories check_all="yes">D:\ossec-test2</directories>
  </syscheck>
</agent_config>

<agent_config name="windows01">
  <syscheck>
    <directories check_all="yes">%PROGRAMFILES%/Application 111</directories>
  </syscheck>
</agent_config>

<agent_config os="Windows">
  <syscheck>
    <directories check_all="yes">%PROGRAMFILES%/Application 222</directories>
  </syscheck>
</agent_config>

1. Restart the OSSEC server with ossec-control in debug mode (/var/ossec/bin/ossec-control enable debug && /var/ossec/bin/ossec-control restart)
2. Restart the agent
3. Wait until the message "ossec-remoted: DEBUG Sending file 'merged.mg' to agent" comes up in ossec.log
4. Check on the agent host that the file agent.conf is created and that it has the following content:

Client: agent.conf

<agent_config name="windows01">
  <syscheck>
    <directories check_all="yes">D:\ossec-test2</directories>
  </syscheck>
</agent_config>

<agent_config name="windows01">
  <syscheck>
    <directories check_all="yes">%PROGRAMFILES%/Application 111</directories>
  </syscheck>
</agent_config>

<agent_config os="Windows">
  <syscheck>
    <directories check_all="yes">%PROGRAMFILES%/Application 222</directories>
  </syscheck>
</agent_config>

5. Check the agent's ossec.log:

2016/02/11 16:31:52 ossec-syscheckd: INFO: Monitoring directory: 'D:\ossec-test2'.
2016/02/11 16:31:52 ossec-syscheckd: INFO: Monitoring directory: 'C:\Program Files (x86)/Application 111'.
2016/02/11 16:31:52 ossec-syscheckd: INFO: Monitoring directory: 'C:\Program Files (x86)/Application 222'.

I had to restart the agent several times until it applied the new configuration.

My personal conclusion is: the OSSEC server will write everything from agent.conf into merged.mg, which will be pushed to the agent's merged.mg; the agent will extract all the configuration from merged.mg into agent.conf and will read and load all the configuration which matches name, os or profile. It does not matter if you have several different <agent_config> blocks.

I hope I explained myself; as you notice, English is not my mother language.

On Thursday, February 11, 2016 at 2:30:56 PM UTC+1, Pedro S wrote:
> Hi again James,
>
> I just tested and I can see how both configurations are pushed to the agent. OSSEC always pushes the entire agent.conf file to all the agents; you can open the file on your agent to check if everything is already received:
>
> OSSEC file "/var/ossec/etc/shared/merged.mg"
>
> If you enable debug mode you will see in ossec.log when the merged.mg is pushed:
>
> 016/02/11 05:09:18 ossec-remoted: DEBUG Sending file 'merged.mg' to agent.
>
> Regarding whether OSSEC combines all the configuration blocks, I think it does because of the following C code:
>
> https://github.com/wazuh/ossec-wazuh/blob/master/src/config/config.c#L201
>
> There is a while loop searching for matches of "os=?", "name=?" and "profile=?"; the loop keeps going until the last element is read, so I think it will read everything, not only the first match.
>
> Let me check it and I will update you in a while.
>
> On Thursday, February 11, 2016 at 1:21:46 PM UTC+1, James Glaves wrote:
>> Hi,
>> I push out OSSEC configuration to all our Windows agents using the shared agent.conf. I have a question about how the agent interprets the different options:
>>
>> <agent_config name="agent1">
>> <agent_config os="Windows">
>>
>> What isn't clear to me: will "agent1" match only the first agent_config it finds? Or will it continue through all the agent_configs and combine the results?
>>
>> For example, can I combine agent-specific configuration which applies to agent1 only with standard Windows configuration that applies to all Windows agents? Or do I need to include all the standard Windows configuration together with the specific configuration in the single named agent_config?
>>
>> Example, will this work? Will "agent4" combine IIS, Exchange, and Windows rules?
>>
>> <!-- Specific config for End User Desktops -->
>> <agent_config name="agent1|agent2|agent3">
>>   <syscheck>
>>     <directories check_all="yes">%PROGRAMFILES%/Application XYZ</directories>
>>   </syscheck>
>> </agent_config>
>>
>> <!-- Specific config for IIS Servers -->
>> <agent_config name="agent4|agent5">
>>   <localfile>
>>     <location>%WinDir%\System32\LogFiles\W3SVC1\u_ex%y%m%d.log</location>
>>     <log_format>iis</log_format>
>>   </localfile>
>> </agent_config>
>>
>> <!-- Specific config for Exchange Servers -->
>> <agent_config name="agent4">
>>   <localfile>
>>     <location>F:\Connectivity Logs\CONNECTLOG%Y%m%d-1.LOG</location>
>>     <log_format>iis</log_format>
>>   </localfile>
>> </agent_config>
>>
>> <!-- General Windows config for all Windows agents -->
>> <agent_config os="Windows">
>>   <localfile>
>>     <location>Application</location>
>>     <log_format>eventlog</log_format>
>>   </localfile>
>>
>>   <localfile>
>>     <location>Security</location>
>>     <log_format>eventlog</log_format>
>>   </localfile>
>>
>>   <localfile>
>>     <location>System</location>
>>     <log_format>eventlog</log_format>
>>   </localfile>
>> </agent_config>
>>
>> Thanks,
>> jjrbg

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
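The merging behaviour the thread arrives at (every <agent_config> block whose name, os or profile attribute matches the agent is applied, not only the first match) can be checked offline before pushing a new agent.conf to a fleet. The script below is an added example written for this thread; it is not OSSEC or Wazuh code, and it does not reproduce the real parser in config.c. The matching rules it uses are assumptions chosen for the example: name="a|b|c" is a '|'-separated list of exact agent names (as in James's example), os="Windows" matches when that string occurs in the agent's OS description, and profile="p1|p2" matches when any listed profile is among the agent's profiles. The sample agent.conf is constructed from the blocks James posted, with "System" included as in his original.

```python
"""Compute the effective shared configuration for one OSSEC agent.

Added example, not OSSEC/Wazuh code. It emulates the behaviour the thread
describes: all matching <agent_config> blocks are merged. Matching rules
are assumptions made for this example (see the lead-in).
"""
import xml.etree.ElementTree as ET

# Constructed sample: the agent.conf from the thread, with one directory per
# line. Backslashes are doubled because this is a normal Python string.
SAMPLE_AGENT_CONF = """
<!-- Specific config for End User Desktops -->
<agent_config name="agent1|agent2|agent3">
  <syscheck>
    <directories check_all="yes">%PROGRAMFILES%/Application XYZ</directories>
  </syscheck>
</agent_config>

<!-- Specific config for IIS Servers -->
<agent_config name="agent4|agent5">
  <localfile>
    <location>%WinDir%\\System32\\LogFiles\\W3SVC1\\u_ex%y%m%d.log</location>
    <log_format>iis</log_format>
  </localfile>
</agent_config>

<!-- Specific config for Exchange Servers -->
<agent_config name="agent4">
  <localfile>
    <location>F:\\Connectivity Logs\\CONNECTLOG%Y%m%d-1.LOG</location>
    <log_format>iis</log_format>
  </localfile>
</agent_config>

<!-- General Windows config for all Windows agents -->
<agent_config os="Windows">
  <localfile><location>Application</location><log_format>eventlog</log_format></localfile>
  <localfile><location>Security</location><log_format>eventlog</log_format></localfile>
  <localfile><location>System</location><log_format>eventlog</log_format></localfile>
</agent_config>
"""


def parse_agent_conf(text):
    """agent.conf has several top-level <agent_config> elements and no single
    root element, so wrap it in a synthetic root before parsing."""
    root = ET.fromstring("<root>" + text + "</root>")
    return root.findall("agent_config")


def block_matches(block, agent_name, agent_os, profiles=()):
    """Assumed matching rules: exact name from a '|' list, os substring,
    any shared profile. A block without attributes applies to every agent."""
    name = block.get("name")
    os_attr = block.get("os")
    profile = block.get("profile")
    if name is not None and agent_name not in name.split("|"):
        return False
    if os_attr is not None and os_attr not in agent_os:
        return False
    if profile is not None and not set(profile.split("|")) & set(profiles):
        return False
    return True


def effective_config(text, agent_name, agent_os, profiles=()):
    """Return (syscheck directories, localfiles) merged from every matching
    block, in file order. localfiles are (location, log_format) tuples."""
    directories = []
    localfiles = []
    for block in parse_agent_conf(text):
        if not block_matches(block, agent_name, agent_os, profiles):
            continue
        for d in block.iter("directories"):
            directories.append((d.text or "").strip())
        for lf in block.iter("localfile"):
            localfiles.append((lf.findtext("location", "").strip(),
                               lf.findtext("log_format", "").strip()))
    return directories, localfiles


if __name__ == "__main__":
    # agent4 on Windows should receive the IIS, Exchange and eventlog entries.
    dirs, files = effective_config(SAMPLE_AGENT_CONF, "agent4",
                                   "Microsoft Windows Server 2012")
    print("directories:", dirs)
    for location, fmt in files:
        print("localfile:", location, fmt)
```

Running it for agent4 lists both IIS entries and the three event logs, which is the combination James asked about; running it for a non-Windows agent name that matches no block returns two empty lists, a quick way to spot a typo in a name= list before the file is pushed.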
